change the signed token format. We don't folks to be able to submit random text for signing by us, as they could then use these to generate known signatures.

Zotlabs/Zot/Finger.php

@@ -110,7 +110,7 @@ class Finger {
 		if($x) {
 			$signed_token = ((is_array($x) && array_key_exists('signed_token',$x)) ? $x['signed_token'] : null);
 			if($signed_token) {
-				$valid = rsa_verify(self::$token,base64url_decode($signed_token),$x['key']);
+				$valid = rsa_verify('token.' . self::$token,base64url_decode($signed_token),$x['key']);
 				if(! $valid) {
 					logger('invalid signed token: ' . $url . $rhs, LOGGER_NORMAL, LOG_WARN);
 					return $ret;